SQL Server Security Concerns


A survey of SQL Server pros highlights the challenges posed to database security by such factors as insider threats, human error and poor patch deployment.

Only a third of SQL Server professionals polled in a recent survey say that personal identity information, such as Social Security and credit-card numbers, is encrypted in all of their databases. Another 25 percent say they aren't using encryption to protect the data at all.

These are among the key takeaways from a survey performed by Unisphere
Research and sponsored by Application Security, a database security solutions vendor. The
report features data culled from a survey of 761 members of the
Professional Association for SQL Server (PASS) in September 2010.

Among its findings: While 20 percent of respondents say a data breach in their organization is either "inevitable"
or "somewhat likely" during the next 12 months, a full two-thirds describe such an event
as "highly unlikely" or "somewhat unlikely."

Many SQL Server pros identify human error as the greatest risk to security, with 65 percent citing it as the most
significant challenge.

Hiding under human error's umbrella are problems
such as:

nonmalicious policy violations that result in data being compromised;

mistakes that occur during the often manual process of reviewing user
rights.

Behind human error, the most commonly cited challenges to database security
are insider hacks and abuse of privileges (44 percent of respondents).

When asked if their existing database controls provide
adequate protection against breaches and attacks, 69 percent of respondents say that all or
most of their databases are secure. However, 18 percent say most of their
databases are not adequately protected. Only 33 percent say personal identity
information such as Social Security and credit card numbers is encrypted in all
of their databases. Another 25 percent say they aren't using encryption
to protect the data at all.

Data masking technologies are used even less frequently than encryption: Only 20 percent are using them
in all of their databases to protect personal information, compared with 36 percent who say they are not using such tools.

Patching remains slow. Only 20 percent of respondents say they deploy SQL Server patches as soon as
they are delivered by Microsoft; 31 percent apply security patches at least
once a month. Nineteen percent say they update at least once a quarter, and 10
percent put it at once every six months.